
2015-10-05 Fermilab's DevOps Alone in the Dark


Published in: Software

  1. Alone in the Dark: DevOps Primer for INFOSEC
  2. WE'VE HEARD THE STORIES . . .
     - Mean time between deployments: 11.6s (310/hour)
     - Max number of deployments in an hour: 1,079
     - Mean number of hosts receiving a deployment: 10,000
  3. WE'VE HEARD THE STORIES . . .
     - 2013: 30+ deploys/day
     - March 2014: 50+ deploys/day
     - April 2014: 80-90+/day
  4. WE'VE HEARD DEV/OPS PROCESS . . .
  5. Meanwhile, in Government . . .
  6. MEANWHILE, IN GOVERNMENT . . . (slides 6 through 12 build up the following list one step per slide; the complete list from slide 12 is shown here)
     - CATEGORIZE (FIPS 199 / SP 800-60)
     - SELECT CONTROLS (FIPS 200 / SP 800-53)
     - IMPLEMENT CONTROLS (SP 800-70)
     - ASSESS CONTROLS (SP 800-53A)
     - AUTHORIZE (SP 800-37)
     - MONITOR (SP 800-37 / SP 800-53A)
  13. INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES; INITIATIVE #2: AUTOMATE ASSESSMENT
  14. INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES
     - Common Criteria modernization, driven by NSA and NIST
     - Consolidate DoD STIG, USGCB into one baseline
     - Operating System controls: >500 (RHEL6), now ~20 (RHEL7)
  15. INITIATIVE #2: AUTOMATE ASSESSMENT
  16. Everyone knows that SCAP is a suite of XML standards for creating automated checklists for configuration and vulnerability scans!
  17. Community-created portfolio of tools and content to make attestations about known vulnerabilities: https://github.com/OpenSCAP
  18. HOW TO ENGAGE
     - OpenSCAP GitHub: https://github.com/OpenSCAP
     - OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
     - SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
     - Ansible-SCAP (+ Vagrant) demo. See how it all works, painlessly: https://github.com/openprivacy/ansible-scap
     - NIST SCAP Website: https://scap.nist.gov
  19. CONTACT INFO: Shawn Wells, Director, Innovation Programs, Red Hat Public Sector, shawn@redhat.com, 443-534-0130
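Slides 15 through 17 describe SCAP as XML checklists that an automated scanner evaluates; what "automate assessment" produces in practice is an XCCDF result document listing each rule and its outcome. The following is an added example, not code from the deck or from the OpenSCAP project: it parses a small XCCDF 1.2 TestResult (the XML is constructed for illustration, and the benchmark, profile and rule ids are placeholders rather than real scap-security-guide ids) and reports which rules failed, filtered by severity, which is the kind of triage a security team would run over real scanner output before deciding whether a system meets its baseline.

```python
"""Summarise an XCCDF 1.2 result document produced by an SCAP scanner.

Added example. The sample XML below is constructed for illustration; the
benchmark, profile and rule identifiers are placeholders, not ids from any
real SCAP content.
"""
import xml.etree.ElementTree as ET

# Namespace used by XCCDF 1.2 documents (the version OpenSCAP content targets).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: one TestResult with four rule outcomes.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample" start-time="2015-10-05T00:00:00">
    <profile idref="xccdf_example_profile_baseline"/>
    <target>host.example.invalid</target>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords" severity="high">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed" severity="low">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF severity values, lowest to highest; anything unrecognised sorts lowest.
SEVERITY_ORDER = ["unknown", "info", "low", "medium", "high"]


def parse_results(xml_text):
    """Return {rule_id: {"result": ..., "severity": ...}} for every rule-result."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        outcome = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        results[rr.get("idref")] = {
            "result": outcome,
            "severity": rr.get("severity", "unknown"),
        }
    return results


def summarize(results):
    """Count outcomes (pass, fail, notapplicable, ...) across all rules."""
    counts = {}
    for entry in results.values():
        counts[entry["result"]] = counts.get(entry["result"], 0) + 1
    return counts


def failing_rules(results, min_severity="low"):
    """Sorted ids of rules that failed at or above the given severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    return sorted(
        rule_id
        for rule_id, entry in results.items()
        if entry["result"] == "fail"
        and SEVERITY_ORDER.index(entry["severity"]) >= threshold
    )


if __name__ == "__main__":
    parsed = parse_results(SAMPLE_RESULTS)
    print("outcomes:", summarize(parsed))
    print("failing (any severity):", failing_rules(parsed))
    print("failing (high only):", failing_rules(parsed, "high"))
```

The same functions apply unchanged to a real results file: read the XML that `oscap xccdf eval --results` writes and pass it to `parse_results`. Rules reported as `notapplicable` are deliberately kept out of the failure list, since a baseline check that does not apply to the host is not a finding.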
